-
-
Notifications
You must be signed in to change notification settings - Fork 180
33 lines (31 loc) · 1.42 KB
/
export_secrets.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
---
# yamllint disable rule:line-length
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: Backup secrets (to OpenSSL encrypted file)
on: # yamllint disable-line rule:truthy
workflow_dispatch:
jobs:
backup_secrets:
runs-on: ubuntu-latest
steps:
- name: Backup secrets
env:
SECRETS: ${{ toJSON(secrets) }}
VARS: ${{ toJSON(vars) }}
OPENSSL_ITER: 1000
OPENSSL_PASS: ${{ secrets.SECRET_EXPORT_OPENSSL_PASSWORD }}
run: |
echo "$SECRETS" | tee secrets.txt
echo "$VARS" | tee vars.txt
openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter $OPENSSL_ITER -salt -in secrets.txt -out secrets.enc.txt -pass pass:$OPENSSL_PASS
openssl enc -aes-256-cbc -md sha512 -pbkdf2 -iter $OPENSSL_ITER -salt -in vars.txt -out vars.enc.txt -pass pass:$OPENSSL_PASS
echo "To decrypt the secrets, use the following command(s):"
echo "openssl enc -aes-256-cbc -d -md sha512 -pbkdf2 -iter $OPENSSL_ITER -salt -in secrets.enc.txt -out secrets.txt -pass pass:<your_password>"
echo "openssl enc -aes-256-cbc -d -md sha512 -pbkdf2 -iter $OPENSSL_ITER -salt -in vars.enc.txt -out vars.txt -pass pass:<your_password>"
- name: Upload encrypted secrets
uses: actions/upload-artifact@v4
with:
name: exports
path: |
secrets.enc.txt
vars.enc.txt